Today, while chatting with a co-worker, I received a PayPal notification on my cell confirming my eBay purchase of $586.00.
I love when my purchases are approved. My PayPal account sees more action than nearly any other app on my phone. But I only like hearing from PayPal when I’m buying things.
I did not buy anything on eBay today. I have not bought anything on eBay in years. Once Amazon Prime wooed me into membership, I forgot eBay existed – which is part of the problem.
My eBay is connected to my PayPal, which was connected directly to my checking account. Panic commences. My first steps were to:
- Stare at my PayPal app.
- Self-doubt – “Did I buy a Ford 6.0L Powerstroke Victor Reinz Head Gasket & Head Studs?” No. What is that? Also, I drive a Nissan.
- Look for a cancel or dispute button. Find nothing.
- Log in to bank account. There is no pending purchase… yet.
- Log in to eBay on my computer.
- Request a cancel order.
- Cancel order three more times.
- Call PayPal.
While waiting on the phone for a human being after spending ~5 minutes explaining the issue to a lady robot, I changed my eBay password. Hopefully the criminal couldn’t make any more purchases there for now.
The PayPal representative was very nice and helpful. First, he froze my account and reset my password. Now both eBay and PayPal were protected. I explained the situation and he immediately refunded my account. He also verified all my information and notified me that there was a new address in my settings – a Trenton, NJ address.
He explained the order had already gone through and the money was going to leave my bank account, but I could transfer the refund to my bank now to break even. I thanked him and we hung up. It was really easy, and that is really rare. Many hacked accounts are hard to reclaim.
How my account was compromised
Firstly, the person in Trenton who ordered the head gasket is 100% not a hacker. eBay was hacked in 2014 and the site requested all users change their passwords. I did not, because I forgot eBay existed.
There is a black market for website credentials. When a site like LinkedIn or eBay is breached, the attackers can collect thousands (if not millions) of usernames and passwords, which they then sell: 100 to one buyer, 5,000 to another, depending on what the buyer can afford. With a list in hand, the buyer tries each username and password pair against other popular sites (payment services, email, shopping) until some of them work. This is known as credential stuffing, and it only succeeds because people reuse passwords across sites. Reply All has a very interesting podcast episode about buying and selling passwords.
In my case, I had the same password for eBay and PayPal. I can’t be sure which account they got to first, but with that password they were able to access several websites. In using the same password I had set myself up for fraud.
Finding the thief
The thief had changed my primary shipping address to their house. It was a Trenton, NJ address. So I began:
- Google map the house. It looks scary and it’s in a bad neighborhood.
- Zillow the house. I can see it hasn’t been sold or bought recently. I look at the estimated worth, property taxes, etc. I am trying to get a feel for the people who live here, and more importantly I’m trying to decide if I think the house is being rented or not.
- Google the address for public records of people who have lived there.
At this point, I find 4 names of people who live or have lived in this location. The first two are men over 60 years old. They don’t have Facebook or any online presence that I can find, so I set their names aside.
The third name belongs to a middle-aged woman called Brenda. Brenda has a Facebook, and she still lives in Trenton. Most coincidentally – she is friends with the fourth person on my list – a late twenty-something woman named Felisha. Felisha lives in Trenton currently.
I deduce, and you may disagree with my reasoning, that Brenda and Felisha live together. Public records show they both have lived at the address and they are friends on Facebook. Neither Brenda nor Felisha is friends with the older gentlemen listed as previous residents, and I determine the men are less likely to be involved.
Felisha lives in Trenton. Her pictures are of a late twenty-something, heavy-set woman with a constant mean mug. She wears all male clothing and portrays herself as very tough. If I have to guess between Brenda (her mother perhaps) or Felisha, I am assuming Felisha is the thief. Am I wrong? Maybe. It’s definitely not enough evidence to call the police. I could send Felisha a Facebook message, but I’m not a journalist and I don’t want this to get weird.
Perhaps Felisha’s friend is the thief, using Felisha’s address to throw us all off. I don’t know, and I’m not going to follow up with it because…
Two hours after the ordeal began, I received confirmation from eBay that the order was cancelled. Not only did I get my money back, but Felisha is not getting free head gaskets and the seller isn’t out almost $600. There is justice in this world.
What you need to do
Have you been hacked?
https://haveibeenpwned.com/ is a website that tracks whether an email address (or username) appears in known data breaches where user information was stolen. It is a safe and reputable website, and it’s scary.
Enter the email address (or username) you use on most sites. It lists the breached sites where that address appeared and what kind of data was exposed. If you’re in the database, change your password on every affected site, and anywhere else you used the same password.
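The same service also lets you check a password itself without ever sending it, through its Pwned Passwords range endpoint: the client hashes the password with SHA-1, sends only the first five hex characters, and gets back every hash suffix the service has seen with that prefix, so the match is made locally. The code below is an added example, not part of the original post or of haveibeenpwned.com’s own software; the endpoint URL and response format are the real ones, but the sample response body is constructed for the demo (the suffix of SHA-1("password") is genuine, the counts are made up), and `fetch_range_live` is included only to show how the real request is made.

```python
import hashlib
import urllib.request

# Real Pwned Passwords k-anonymity endpoint: GET {RANGE_URL}{first 5 hex chars of SHA-1}
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password):
    """Return (5-char prefix, 35-char suffix) of uppercase hex SHA-1(password).
    Only the prefix ever leaves the machine; the suffix is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body):
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns into a dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or not count.strip().isdigit():
            continue  # tolerate padding or malformed lines instead of crashing
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range):
    """How many times `password` appears in the breach corpus (0 = never seen).
    `fetch_range(prefix)` must return the response body for that 5-char prefix,
    so the same logic works against the live API or canned data."""
    prefix, suffix = split_sha1(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix):
    """Network fetcher for the real service (not exercised by the offline demo)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"Add-Padding": "true"})  # hides response size
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6, the prefix of SHA-1("password").
# The real service returns hundreds of lines per prefix; counts here are invented.
SAMPLE_RANGE_BODIES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # suffix of SHA-1("password")
        "FFFE70E4B7E5C5A1F33BF9F3E5D6F3D2E66:1",
    ]),
}


def fetch_range_offline(prefix):
    """Stand-in for fetch_range_live that serves the constructed sample above."""
    return SAMPLE_RANGE_BODIES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, fetch_range_offline)
        verdict = f"seen {n} times in breaches, do not use" if n else "not in sample data"
        print(f"{pw!r}: {verdict}")
```

Swap `fetch_range_offline` for `fetch_range_live` to query the real service; a non-zero count means the password is already in attackers’ credential-stuffing lists and should be retired everywhere it was used.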
Have several different passwords
I changed every password today on every site. PayPal, eBay, email accounts, all banking and credit cards, Facebook… you name it. You need a system so that no two accounts that matter share a password. At the very least, use separate passwords for email, for social media, for banking, and so on; better still, give every site its own password and keep them in a password manager so you don’t have to remember them.
If a thief does get one of your passwords, they will try it on a ton of websites. Don’t let them get further than the one site that leaked it.
Enable two-factor authentication (2FA)
2FA is a feature on Gmail and many other platforms that demands a second proof of identity, beyond your password, when your account is accessed from a new computer or device or when your password is changed. Usually that proof is a short code sent to your phone by text message or generated by an authenticator app. The thief enters your password and then hits a screen that reads “We have texted you a code to your cell phone. Please enter the code to proceed”.
Unless they also have your phone, or whatever second method of confirmation you set up, the thief is locked out. Text-message codes are the weakest form (they can be phished or intercepted by someone who hijacks your phone number), so prefer an authenticator app or a hardware security key where the site offers one, but any 2FA is far better than none.
If PayPal had texted me when my account was first accessed from an unknown device, all of this could have been stopped in advance. Enable 2FA on every account you can.
Enable app notifications on your phone
Allow any app that deals with your email or banking information to send you push notifications about account activity. When you buy something on Amazon Prime, get a text about it. It was the text that alerted me to the fraud and allowed me to stop it immediately. Otherwise, I may not have gotten my money back, and Felisha could have charged even more to my account.